Executive Liability for Data Breach Notification Delay?

The outrage that followed Uber’s revelation that hackers had accessed 57 million passenger and drive records was not about the breach itself. It was about the accompanying disclosure that the company had kept the news of the data breach secret after paying the hackers a ransom. The outrage at these disclosures was not lost on lawmakers in Washington. A measure was recently introduced in Congress that would impose new criminal penalties on anyone convicted of “intentionally and willfully” concealing a data breach, including fines and up to five years imprisonment, or both. This proposed provision is only one of several measure intended to ensure that companies quickly notify affected persons that a data breach has occurred.

As discussed here, the new measure to make it a criminal offense to withhold data breach notification was introduced the U.S. Senate as part of Data Security and Breach Notification Act, a Senate bill intended to implement nationwide data breach notification standards. (A copy of the proposed legislation can be found here. Hat tip to Cybersecurity Docket for the link to the new legislative provision.) Senator Richard Blumenthal, one of the bill’s sponsors, has been quoted in the press as saying that the Uber revelation is “yet another example of corporate carelessness in the face of a cyber intrusions,” adding that if the proposed data notification requirements are to have any teeth, they must come backed with “stiffer enforcement and stringent penalties.”

Although the Uber revelations may represent an unusual and extreme example, delays in reporting data breaches are a problem for other companies as well. For example, Equifax waited 41 days before disclosing that hackers had accessed over 143 consumer credit records. The Equifax situation represents a particularly telling example of the problems that can arise when companies delay disclosing that a data breach has occurred. In Equifax’s case, between the time the breach was discovered and the time the breach was disclosed, several executives sold some of their personal holdings of company stock. While an Equifax board committee organized to investigate the stock sales concluded that executives were unaware of the breach at the time they sold their shares, the executive’s stock sales are featured prominently in the securities class action lawsuit that has been filed against the company and certain of its directors and officers.

The SEC’s delay in disclosing that the agency itself had been hacked was particularly embarrassing for the agency and its new Chair. The agency was widely criticized for its delay in disclosing the breach of its EDGAR database. But in his testimony to Congress about the agency’s data breach, SEC Chair Jay Clayton defended the agency’s actions, including its delay in disclosing the breach, saying among other things that before he disclosed the breach he wanted to make sure that the agency’s internal investigation was far enough along that the agency could accurately convey the facts. He also emphasized that the agency needed to be sure that the vulnerability that the hackers had exploited had been eliminated before the agency disclosed the hack.

The prudential considerations Clayton cited in justifying the SEC’s delay in disclosing the hack highlight the problems that could complicate legal requirements setting absolute disclosure timetable requirements. Among the new and proposed data breach disclosure requirements that could be particularly problematic are the data notification requirements in the EU General Data Protection Requirement (GDPR), which goes into effect in May 2018.

The GDPR specifies in paragraph 85 that a controller of personal data that has been the subject of a breach must notify the supervisory authority of a breach with 72 hours of the discovery of the breach, unless the controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. (All of the nouns used in this opaque regulatory provision are defined terms in the regulation.) The data breach notification requirement is just one of the many obligations in the regulation. The failure to satisfy the regulations requirements could have significant consequences for the organization involved; consequences could include heavy fines (up to 4% of annual global turnover or €20 Million).

A detailed discussion of who the GDPR applies to, as well as what its notification provisions actually require is beyond the scope of this blog post. I refer to it here as yet another example of how lawmakers and regulators are trying to ramp up the disclosure obligations on organizations that experience data breaches.

SEC Chair Clayton’s comments to Congress underscore the problems that organization’s grappling with a data breach will have in trying to fulfill aggressive notification timetables. As his comments highlighted, an organization that rushes its disclosure will risk making inaccurate disclosures. If new or additional facts are later uncovered, the company will be forced to make additional disclosures, opening the company to criticism for piecemeal revelations. Moreover, as his comments also highlight, disclosure of a breach before it knows that the vulnerability has been remedied could cause much more serious problems.

The total picture here is particularly disagreeable for the organizations dealing with a serious data breach. On the one hand, legal and regulatory requirements increasingly may require organizations to quickly disclose the occurrence of a data breach. On the other hand, the potential complications surrounding the breach and the difficulties in ascertain what has happened could create enormous challenges for organizations as they struggle to fulfill their disclosure obligations.

The conflicting requirements ensure that data breach-related issues will represent a significant challenge for organizations and their senior managers as well as a potentially significant area of liability exposures.

Disclaimer

The views expressed on this site are exclusively those of the author, and all of the content on this site has been created solely in the author's individual capacity. This site is not affiliated with his company, his colleagues, his clients, his relatives or any other institution or person living, dead, or yet to exist. Quotations from this site should credit The D & O Diary. However, this site may not be quoted in any legal brief or any other document to be filed with any Court unless the author has given his written consent in advance. This blog does not intend to provide legal advice. You should consult your own attorney in connection with matters affecting your own legal interests.